Docker WP Operations

Reusable operations workflow for WordPress projects running on Docker on EC2. Connects via SSH (with 1Password credentials) and runs Make targets for common operations tasks.

Trigger

```yaml
on:
  workflow_call:
```

Typically called by an operations.yml workflow in the project repository, with workflow_dispatch to allow manual execution.

Inputs

| Input | Type | Default | Required | Description |
| --- | --- | --- | --- | --- |
| operation | string | -- | Yes | Operation: backup-db, backup-full, cache-flush, wp-cli |
| wp-command | string | '' | No | WP-CLI command (required if operation = wp-cli) |
| op-item-ec2 | string | -- | Yes | 1Password item path for EC2 credentials (e.g. CI-MYPROJECT/AWS-EC2-docker-wp-myproject) |
| op-item-ssh-key | string | -- | Yes | 1Password item path for SSH key (e.g. CI-MYPROJECT/SSH-docker-wp-myproject-dev-key) |
| op-service-account-secret | string | 'OP_SA_MYPROJECT' | No | Name of the GitHub secret holding the 1Password service account token |

Secrets

| Secret | Description |
| --- | --- |
| OP_SA_* (dynamic) | 1Password service account token. The exact name is defined by the op-service-account-secret input |

The calling repository must have a secret with the 1Password service account token that has access to the items referenced by op-item-ec2 and op-item-ssh-key.

Available operations

backup-db

Exports the database and downloads the .sql file:

  1. Runs make backup-db on the server via SSH.
  2. Downloads the .sql file via rsync.
  3. Uploads as a GitHub Actions artifact (retention: 30 days).
  4. Removes the backup from the server.

backup-full

Exports the database and the uploads (media files):

  1. Runs make backup on the server via SSH.
  2. Downloads .sql and .tar.gz files via rsync.
  3. Uploads as an artifact (retention: 30 days).
  4. Removes backups from the server.

cache-flush

Flushes Redis and WP object cache:

  1. Runs make cache-flush on the server via SSH.

wp-cli

Runs an arbitrary WP-CLI command:

  1. Runs make wp CMD='<command>' on the server via SSH.
  2. The wp-command input is required for this operation.

Jobs

validate-inputs

Validates that the provided operation is valid and that wp-command is filled when required.
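
One way to implement the two checks this job describes, as an added example (not the workflow's own code). The character allowlist for wp-command is an assumption of this example: the value is later placed inside make wp CMD='<command>' over SSH, so quotes, `$`, backslashes and newlines would change what the remote shell or make runs.

```shell
#!/bin/sh
# Added example, not the project's code: input checks in the spirit of the
# validate-inputs job. The function name and the allowlist are assumptions.

# validate_inputs OPERATION [WP_COMMAND]
# Returns 0 if the inputs are acceptable, 1 otherwise (reason on stderr).
# The body is a subshell so LC_ALL=C does not leak into the caller.
validate_inputs() (
  LC_ALL=C   # make A-Z / a-z ranges mean ASCII only
  operation="$1"
  wp_command="${2-}"

  # Operation must be one of the four documented values.
  case "$operation" in
    backup-db|backup-full|cache-flush) return 0 ;;
    wp-cli) ;;
    *) echo "invalid operation: $operation" >&2; return 1 ;;
  esac

  # wp-command is mandatory for wp-cli.
  if [ -z "$wp_command" ]; then
    echo "wp-command is required when operation is wp-cli" >&2
    return 1
  fi

  # Reject anything outside a conservative set, so the value cannot close
  # the single quotes in CMD='...' or trigger shell or make expansion.
  case "$wp_command" in
    *[!A-Za-z0-9\ _.,:=/@-]*)
      echo "wp-command contains characters outside the allowlist" >&2
      return 1 ;;
  esac
  return 0
)

# Constructed sample inputs (not from the original page).
for sample in "plugin list --format=json" "cache flush" "option get home'"; do
  if validate_inputs wp-cli "$sample" 2>/dev/null; then
    echo "accept: $sample"
  else
    echo "reject: $sample"
  fi
done
```

In a workflow step, pass the inputs to the script through `env:` rather than interpolating the expression into the script text, so the check runs on the raw value. The allowlist only keeps the value inside its quoting; it does not restrict which WP-CLI commands can be run.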

run-operation

Runs in the production environment:

  1. Load 1Password secrets — host, user, folder, and SSH key via 1password/load-secrets-action@v4.
  2. Setup SSH — writes the private key and defines connection options.
  3. Run the operation — backup, flush, or WP-CLI as specified.
  4. Upload artifacts — for backup operations.
  5. Cleanup — removes the SSH key from the runner (always runs, even on failure).

Usage example

```yaml
# .github/workflows/operations.yml
name: Operations

on:
  workflow_dispatch:
    inputs:
      operation:
        description: Operation to run
        type: choice
        options:
          - backup-db
          - backup-full
          - cache-flush
          - wp-cli
      wp-command:
        description: WP-CLI command (only for wp-cli)
        type: string
        default: "plugin list"

jobs:
  ops:
    uses: middag-io/.github-private/.github/workflows/docker-wp-operations.yml@workflows-v1
    with:
      operation: ${{ inputs.operation }}
      wp-command: ${{ inputs.wp-command }}
      op-item-ec2: CI-MYPROJECT/AWS-EC2-docker-wp-myproject
      op-item-ssh-key: CI-MYPROJECT/SSH-docker-wp-myproject-dev-key
      op-service-account-secret: OP_SA_MYPROJECT
    secrets: inherit
```

1Password configuration

The 1Password items must have the following fields:

EC2 Item (referenced by op-item-ec2):

  • EC2/host — server hostname or IP
  • EC2/user — SSH user
  • EC2/folder — project directory on the server

SSH Key Item (referenced by op-item-ssh-key):

  • private_key — SSH private key

MIDDAG Tecnologia